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Preface 



The Department of Homeland Security (DHS) Office of Inspector General (OIG) was 
established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment 
to the Inspector General Act of 1978. This is one of a series of audit, inspection, and 
special reports prepared as part of our oversight responsibilities to promote economy, 
efficiency, and effectiveness within the department. 

The attached report presents the results of the Federal Emergency Management Agency 
(FEMA) fiscal year 2008 Mission Action Plans audit. We contracted with the 
independent public accounting firm KPMG LLP (KPMG) to perform the audit. The 
contract required that KPMG perform its audit according to generally accepted 
government auditing standards. KPMG is responsible for the attached independent 
auditor's report and the conclusions expressed in it. 

The recommendations herein have been discussed in draft with those responsible for 
implementation. It is our hope that this report will result in more effective, efficient, and 
economical operations. We express our appreciation to all of those who contributed to 
the preparation of this report. 




Richard L. Skinner 
Inspector General 




KPMG LLP 

2001 M Street, NW 
Washington, DC 20036 



Telephone 202 533 3000 
Fax 202 533 B500 

Internet www.us.kpmg.com 



February 22, 2008 

Ms. Anne Richards 

Assistant Inspector General for Audit 

Department of Homeland Security, Office of the Inspector General 

Mr. David Norquist 
Chief Financial Officer 
Department of Homeland Security 

This report presents the results of our work conducted to address the performance audit objectives relative 
to the Department of Homeland Security's (DHS or the Department) Mission Action Plans (MAPs) 
developed to address the internal control deficiencies at the Federal Emergency Management Agency 
(FEMA). These deficiencies were identified by management and/or reported in the Independent 
Auditors' Report included in the Departments fiscal year 2007 Annual Financial Report {herein referred 
to as the "FY 2007 Independent Auditors' Report"). 

This performance audit is the fourth in a series of four performance audits that the Department's Office of 
Inspector General ("OIG") engaged us to perform related to the Department's fiscal year 2008 MAPs for 
use in developing the Department's Internal Control Over Financial Reporting ("ICOFR") Play book. 
This performance audit was designed to meet the objectives identified in the Objectives, Scope, and 
Methodology section of this report. Our procedures were performed using draft MAPs provided to us on 
January 22, 2008. Interviews with DHS and FEMA management and other tcstwork, was performed at 
various times through February 12, 2008, and our results reported herein are as of February 22, 2008. 

We conducted this performance audit in accordance with generally accepted government auditing 
standards (GAS). Those standards require that wc plan and perform the audit to obtain sufficient, 
appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit 
objectives. We believe that the evidence obtained provides a reasonable basis for our findings based on 
our audit objectives. 

This performance audit did not constitute an audit of the financial statements in accordance with GAS. 
KPMG was not engaged to, and did not, render an opinion on the Department's or FEMA's internal 
control over financial reporting or over financial management systems (for purposes of OMB's Circular 
No. A-127, Financial Management Systems, July 23, 1993, as revised). KPMG cautions that projecting 
the results of our evaluation to future periods is subject to the risks that controls may become inadequate 
because of changes in conditions or because compliance with controls may deteriorate. 
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EXECUTIVE SUMMARY 



The Department has identified deficiencies in internal control over financial reporting through its annual 
assessment conducted pursuant to OMB (Office of Management and Budget) Circular No. A- 123, 
Management's Responsibility for Internal Control, and in compliance with the Federal Managers' 
Financial Integrity Act (FMFIA). Some of the deficiencies were identified as material weaknesses, by 
DHS' external financial statement auditor. Beginning in 2006, the Department launched a comprehensive 
corrective action plan to remediate known internal control deficiencies. The plan is documented in the 
Internal Controls Over Financial Reporting Playbook (ICOFR Playbook). The Mission Action Plan 
(MAP) is a key element of the ICOFR Playbook that documents the remediation actions planned for each 
internal control deficiency at the DHS component level. The MAP provides specific actions, timeframes, 
key milestones, assignment of responsibility, and the timing of corrective action validation. 

The Federal Emergency Management Agency (FEMA) developed four MAPs to be included in the 2008 
ICOFR Playbook. The MAPs are intended to address control deficiencies identified in Financial 
Management, Entity Level Controls (ELC), Financial Reporting, Actuarial and Other Liabilities, 
Budgetary Accounting, and Capital Assets and Supplies. 

The objective of this performance audit was to evaluate and report on the status of the four detailed MAPs 
prepared by FEMA to correct the internal control deficiencies over financial reporting described above. 
We conducted our audit in accordance with the standards applicable to such audits contained in the 
Government Auditing Standards, issued by the Comptroller General of the United States. Our audit was 
performed using specific criteria to assess the MAP development process used by FEMA, and to evaluate 
the MAPs submitted by FEMA to the Department's Chief Financial Officer for inclusion in the 2008 
ICOFR Playbook. 

The evaluation criteria were developed from a variety of sources including technical guidance published 
by OMB, the Government Accountability Office, and from applicable laws and regulations. We also 
considered DHS' policies and guidance, and input from the Office of Inspector General when designing 
evaluation criteria. Our evaluation criteria were: 

1. Identification (of the root cause) - Identification of the appropriate underlying root cause that is 
causing the internal control deficiency condition(s). 

2. Development (of the MAP) - Clear action steps that address the root cause, and attainable and 
measurable milestones at an appropriate level of detail. 

3. Accountability (for execution of the MAP) - The individual MAP owner is responsible for its 
successful implementation, ensuring that milestones are achieved and that the validation phase is 
completed. 

4. Verification and validation - The MAP includes written procedures to verify successful 
implementation of the MAP, a means to track progress throughout the MAP lifecycle, and 
reporting results when complete. 

In summary, we noted that FEMA has prepared MAPs to address its known control deficiencies described 
above. In addition, FEMA made certain modifications to the ICOFR Playbook, after their MAPs were 
submitted to the DHS CFO e.g., adding milestones, that were not reflected in the MAPs. We considered 
those modifications in drafting our report, however due to the timing of our review, we were unable to 
perform audit procedures on those modifications. 

We noted areas where the MAPs could be improved. Specifically, we noted that the MAP Summary and 
Detailed Report documents (described in the Key Documents and Definitions section of this report) could 
be improved. The root cause analysis is often only generally defined and in some cases is a condition or 
symptom of the problem, instead of describing the underlying issue. The milestone steps are not clearly 
linked to root causes or financial statement assertions, and the MAPs do not contain the depth of analysis 
and independent consideration that is required by the Department's MAP Guide. The MAPs could be 
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improved by expanding the milestones to include more detailed steps, including measurable action steps 
that would remediate the root cause of the control deficiencies. 

Critical dependencies are not clearly identified within each MAP and affected milestones, for example 
interdependencies between certain milestones, accounting processes, and other Federal agencies. In 
addition, the MAPs do not reflect FEMA's dependence on the Department for various policies and 
procedures, and executive management support for organizational change needed to remediate FEMA's 
entity level control deficiency. In addition, the MAPs do not include detailed procedures to assess the 
functionality of current information technology (IT) system used in affected processes. FEMA's IT 
systems influence their ability to maintain an accurate accounting after corrective actions are taken. 

The milestones do not separately address the need for "catch-up" or financial statement true-up actions, to 
reconcile the backlog of old mission assignments, or to establish a beginning inventory of capital assets. 

In addition, as written, the FEMA MAPs lack a complete plan for verification and validation of MAP 
results that can be used to monitor and report results, and the MAPs are not clearly linked to the 
Department's OMB Circular A-123 initiatives currently underway. 

We recommend that FEMA continue to perform an in-depth root cause analysis until management has 
fully determined why, when, and how the control deficiencies occurred. FEMA should expand the MAPs 
to include more detail, measurable action steps, specific actions, assignments to individuals, link the 
milestones to root causes and financial statement assertions, and update the time-line for completion. 
FEMA should prioritize the MAPs and milestone actions to focus on areas that may result in cross-cutting 
benefits, and minimize duplication of effort where corrective actions overlap (i.e., correction of IT system 
posting logic errors may resolve multiple issues, or mitigate the need for process changes). 

FEMA should identify and document its consideration of all significant interdependencies, with 
overlapping processes and other FEMA MAPs, other Departmental MAPs, and other actions that need to 
be taken by other Federal agencies. FEMA should also include specific assessments of IT systems in the 
early stages of the MAP process, to ensure that FEMA's IT systems are able to support updated 
procedures, corrected processes, and new internal control procedures. 

We recommended that FEMA revise the MAPs to separate the financial statement balance reconciliation 
and corrective adjustment procedures from the process and control redesign aspect of the MAPs - 
separating the historical and prospective elements of the MAP. Historical actions are generally one-time 
events, while the prospective actions will likely require systemic, organizational, procedural, and process 
changes, which may be more complex. 

When the MAPs are further developed, including the updates made in the ICOFR Playbook, develop a 
plan to verify and validate MAP results. 
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BACKGROUND 



The Department of Homeland Security (DHS) and the Federal Emergency Management Agency (FEMA) 
recognize that deficiencies in internal control over financial reporting exist. The internal control 
deficiencies are reported by DHS management in its annual Secretary's Assurance Statement, issued 
pursuant to OMB Circular A-123, Management's Responsibility for Internal Control. The Secretary's 
Assurance Statement, and the findings of the external auditor, is reported in the Department's fiscal year 
2007 Annual Financial Report (AFR). The conditions causing the internal control weaknesses are diverse 
and complex. Many conditions, which are systemic, were inherited with the legacy financial processes 
and IT systems in place at the time of the Department's formation in 2003. The evolution of the 
Department's mission, programs, component restructuring, and other infrastructure changes, has made 
remediation of these internal control weaknesses very challenging. To meet this challenge the 
Department's Secretary, Chief Financial Officer and Financial Management in the DHS components 
adopted a comprehensive strategy to implement corrective actions beginning in fiscal year (FY) 2007 and 
continuing in future years. 

The Office of the Chief Financial Officer (OCFO), Internal Control Program Management Office 
(ICPMO) is primarily responsible for the development and implementation of the Department's strategy 
to implement mission action plans. The ICPMO has documented their strategy and other related plans to 
remediate identified internal control deficiencies, in the Internal Controls Over Financial Reporting 
Playbook (ICOFR Playbook). 

In 2006, the Department issued Management Directive 1030, Corrective Action Plans, and the 
Department enhanced its existing guidance by issuing the Mission Action Plan Guide, Financial 
Management Focus Areas Fiscal Year 2008 (MAP Guide). In accordance with the MAP Guide, the 
Department and the components developed Mission Action Plans (MAP), which describe the corrective 
actions to be implemented. The Department continued to utilize an Electronic Program Management 
Office (ePMO), a Web-based software application, to manage the collection and reporting of MAP 
information. 

The MAP guide is applicable to all Department components, including FEMA, and outlines the policies 
and procedures necessary to develop fiscal year 2008 Department MAPs. All components were required 
to submit MAPs, or MAP updates, for any new or existing internal control deficiencies over financial 
reporting, identified by management or the external auditors, for incorporation into the fiscal year 2008 
ICOFR Playbook. 

To comply with Management Directive 1030, and the MAP Guide, FEMA prepared four detailed MAPs 
for fiscal year 2008, to address the internal control deficiencies over Financial Management and Entity 
Level Controls; Financial Reporting; Capital Assets and Supplies; Actuarial and Other Liabilities; and 
Budgetary Accounting that contributed to Departmental material weaknesses in the FY 2007 Independent 
Auditors' Report, which are summarized below: 

• Financial Management and Entity Level Controls, and Financial Reporting - FEMA has not 
established the financial management organizational structure with clear oversight and 
supervisory review functions necessary to support the development and implementation of 
effective policies, procedures, and internal controls over financial reporting. This structure is 
needed to ensure that accounting principles are correctly applied and accrued financial data is 
submitted to the OCFO for consolidation timely. 

• Capital Assets and Supplies - FEMA maintains a stockpile inventory of seven life-saving 
commodities for use in disaster relief efforts. FEMA did not fully adhere to policies and 
procedures when performing its annual physical count of its stockpile inventory. Furthermore, 
FEMA did not record the activity related to the stockpile inventory within its general ledger 
throughout the year under the consumption method. 
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• Actuarial and Other Liabilities - In FY 2007, the Office of Grants and Training (G&T)'s 
operations were transferred to FEMA as part of the Post Katrina Emergency Management Reform 
Act of 2006. FEMA was unable to develop and apply a reliable estimation methodology to 
accrue non-federal grants payable or advances related to the former G&T portfolio of grants in the 
Department's financial statements. The development of the methodology would include the 
validation of data inherited and the assumptions made. 

• Budgetary Accounting - A "mission assignment" is the vehicle used by FEMA to support Federal 
operations during a major disaster or emergency declaration covered under the Stafford Act. 
FEMA has not adequately monitored the status of its mission assignment obligations nor ensured 
the timely deobligation of mission assignments. The control weaknesses surrounding these 
mission assignments may allow a material misstatement of the related undelivered orders to go 
undetected. During FY 2007 FEMA was unable to obtain timely documentary evidence, 
including sufficient cost/billing data from other Federal agencies supporting the progress of active 
mission assignments, and therefore was not able to deobligate or validate the continued carrying 
of mission assignment undelivered orders timely. 

OBJECTIVE, SCOPE, AND METHODOLOGY 

Objective 

The objective of this performance audit was to evaluate and report on the status of detailed MAPs 
prepared by FEMA to correct internal control deficiencies over financial reporting. Our evaluation was 
performed using specific criteria, described in the methodology section below, to assess the process used 
to develop and document FEMA's fiscal year 2008 MAPs. We did not evaluate the outcome of the MAP 
process or any corrective actions taken by management during our audit, and our findings should not be 
used to project ultimate results from MAP implementation. Recommendations are provided to help 
address findings identified during our performance audit. 

Scope 

The scope of this performance audit includes FEMA's MAPs developed to address the Financial 
Management and Entity Level Controls and Financial Reporting; Capital Assets and Supplies; Actuarial 
and Other Liabilities; and Budgetary Accounting internal control deficiencies at FEMA in the Secretary's 
Assurance Statement and in the FY 2007 Independent Auditors' Report. The MAPs subjected to our 
evaluation were provided to us by the OCFO, on behalf of FEMA, on January 22, 2008. 

Certain modifications were made to the ICOFR Playbook, after January 22, 2008, e.g., adding milestones, 
that were not reflected in the MAPs. We considered those modifications in drafting our report, however 
due to the timing of our review, we were unable to perform audit procedures on those modifications. 

The scope of this performance audit did not include procedures on any of the MAPs associated with other 
control deficiencies existing at FEMA as reported in the FY 2007 Independent Auditors' Report. Our 
performance audit was performed between January 22, 2008 and February 12, 2008, and our results 
reported herein are as of February 22, 2008. 

Methodology 

We conducted this performance audit in accordance with the standards applicable to such audits contained 
in the Government Auditing Standards, issued by the Comptroller General of the United States. Our 
methodology consisted of the following four-phased approach: 

Project Initiation and Planning - We attended meetings with the Department's OIG, OCFO, and FEMA 
to review the performance audit objectives, scope, describe our approach, communicate data requests, and 
to gain an understanding of the status of FEMA's 2008 MAPs. 
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Data Gathering - We performed interviews with Accounting and Finance management and staff at 
FEMA and OCFO. Through these interviews, we gained an understanding of the process used to develop 
the MAPs, including key inputs and data used, assumptions made, and reasons for conclusions reached. 
The interviews focused on the analysis performed by FEMA to identify the underlying problems creating 
the internal control weakness (root cause) and planned corrective actions, the critical milestones chosen 
for measurement, and the methods used to monitor and validate progress in meeting the milestones. We 
discussed FEMA's resource allocation strategy employed in the development and eventual 
implementation of the MAP, including the utilization of contractors to supplement staff as needed and the 
use of specialists, if necessary. We also conducted meetings with the Department's OIG to identify and 
agree to the criteria used to evaluate the status of the MAPs (as defined below). 

We also performed reviews of key documents and supporting information provided to us by OCFO. Our 
documentation reviews included: 

• The four FEMA MAPs (i.e., the MAP Detail and Summary Reports) that were included within 
our scope, and any underlying supporting documentation provided by the components. 

• The Notices of Findings and Recommendations (NFRs) issued during the FY 2007 financial 
statement audit by the external auditors that supported the internal control findings reported in the 
FY 2007 Independent Auditors' Report. 

• Information provided by FEMA management regarding the allocation of resources related to all 
MAPs, including the utilization of contractors. , 

• The Annual Component Head Assurance Statements provided pursuant to the requirements of 
OMB Circular A- 123. 

• The ICOFR Playbook, MD 1030, the MAP Guide, and existing internal control monitoring 
guidance (e.g., OMB Circular No. A-123). 

Analysis Using Established Criteria - Our evaluation criteria were developed from a variety of sources 
including technical guidance published by OMB, e.g., Circular A-123, the GAO, e.g. Standards for 
Internal Control in the Federal Government, and applicable Federal laws and regulations, e.g., FMFIA. 
We also considered DHS' policies and guidance, e.g. the MAP Guide and the ICOFR Playbook, and input 
from the Office of Inspector General. Our evaluation criteria were: 

1 . Identification (of the root cause) - Identification of the appropriate underlying root cause that is 
causing the internal control deficiency. A comprehensive analysis typically includes a full assessment 
of the business processes, data flows, and information systems that drive the transactions/activities 
associated with the accounting process where the internal control deficiencies are believed to exist. A 
thorough root cause analysis should include: 

a) Research to discover why, when, how the condition occurred - what went wrong and why? 

b) Investigation to determine if the problem is procedural or human resources, or both. 

c) An evaluation to determine if IT system functionality is contributing to the problem and if IT 
system modifications could be part of the remediation. 

d) An evaluation of internal controls, including the existence of compensating controls that may 
mitigate the deficiency. 

2. Development (of the MAP) - The MAP includes action steps that address the root cause, and 
attainable and measurable milestones at an appropriate level of granularity. Milestones should enable 
independent analysis of a MAP's effectiveness in remediation of root causes and provide MAP users 
with insight on the status of the MAP's implementation. For example, the MAP should enable a user 
to determine if the appropriate level of resources to execute a milestone is available and to identify 
potential gaps in milestones (e.g. a contractor may be needed before a specific milestone can be 
achieved). 
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3. Accountability (for execution of the MAP) - Accountability for the MAP is clearly identified and 
assigned. The individual MAP owner is responsible for its successful implementation, ensuring the 
achievement of milestones and validation of results. 

4. Verification and Validation - The MAP includes written procedures that verify successful 
implementation of the MAP, a means to track progress throughout the MAP lifecycle, and reporting 
results when complete. These activities should include documentation reviews, work observations, 
and performance testing, that is maintained for internal OMB A- 123 review and external audit. 

Results - Findings and Recommendations - After conducting our analysis procedures described above 
and applying the evaluation criteria to the MAPs, we formulated our findings and recommendations. The 
findings represent areas for potential improvement that could negatively affect FEMA's remediation of 
the material weaknesses if the MAP is performed as designed. 

FINDINGS AND RECOMMENDATIONS 

Findings 

FEMA prepared and submitted MAPs to the OCFO as instructed in the MAP Guide. The MAPs address 
each of the four primary processes where control deficiencies existed at the end of FY 2007. FEMA's 
documentation of its root cause analysis was limited to the information provided on the MAP. 
Consequently, our review of FEMA's work supporting its MAP was limited to reading the MAP, 
comparing the information to the DHS FY 2007 Independent Auditors' Report, and inquiry with various 
FEMA personnel and management. Based on our inquiry with FEMA personnel, we determined that 
FEMA was knowledgeable of the MAP Guide, performed a limited review to determine the source and 
cause of control deficiencies, and incorporated the results into the individual MAPs in the form of 
milestones. 

FEMA management exhibited an understanding of the issues and described some corrective actions that 
were not always documented in the MAP. Further, in coordination with the OCFO, FEMA updated its 
corrective action milestone schedule in the ICOFR Playbook in response to some of the findings 
described below. We considered those modifications in drafting our report, however due to the timing of 
our review; we were unable to perform audit procedures on changes made to the ICOFR Playbook after 
January 22, 2008. 

Our findings are: 

• The MAP Summary and Detailed Report documents that support the ICOFR Playbook could be 
improved. 

- The root cause analysis is often only generally defined and in some cases is a condition or 
symptom of the problem, instead of the describing the underlying issue, e.g., "Lack of 
resources to perform approvals due to increased volume of activity resulting from recent 
disasters" or "FEMA lacks formalized policies related to grant accrual methodology." 
The root cause analysis documented in the MAPs does not always describe why, when, 
and how the conditions occurred. 

- The milestone steps are not clearly linked to root causes. As a result, we could not 
determine how the milestones related to the issues identified and root causes, or if the 
milestones listed in the FEMA MAP sufficiently addressed all root causes and 
corresponding control deficiencies. 

- The MAPs do not contain the depth of analysis and independent consideration that is 
contemplated by the Departments MAP Guide. In addition, there appears to be a reliance 
on the DHS FY 2007 Independent Auditors' Report to identify conditions leading to 



7 



internal control deficiencies, in lieu of an independent analysis as suggested by the MAP 
Guide. 

- Each of the MAPs lacks an appropriate degree of detail, including measurable action 
steps or milestones necessary to remediate the root cause of the control deficiencies. For 
example, the actuarial and other liabilities MAP contain the milestone "Develop grant 
accrual model." However, it is not clear how the model is going to be developed. 

- The MAPs do not build out specific actions and a clear time-line with milestones 
including who will do the work, the actions to take, how results will be documented and 
verified, and when the account balances will be ready for audit. Milestone due dates are 
sometimes listed as "TBD." 

- The financial statement assertion sections of the MAPs were not complete at the time of 
our audit, and consequently, the MAP milestones are not linked to the financial statement 
assertions (e.g., completeness, accuracy, and existence) affected by the control 
weaknesses. 

• Critical dependencies are not clearly identified within each MAP and affected milestones. Key 
relationships may exist between: 

- Certain milestones (e.g., computation of the grant accrual and access to reliable data); 

- Accounting processes (e.g., entity level controls and accounting for mission 
assignments); and 

- Third parties, e.g., other Federal agencies who receive mission assignments. For 
example, the Budgetary Accounting MAP did not include milestone to correspond with 
grantees to determine what information is available and how to improve communication 
(lack of communication was identified as a root cause issue). 

In addition, FEMA is dependent on the Department for various policies and procedures, and 
executive management support for organizational change needed to remediate FEMA's entity 
level control deficiency. In addition, FEMA's IT systems affect their ability to maintain an 
accurate accounting after corrective actions are taken. For example, the Capital Assets and 
Supplies MAP does not include milestones for determining the sufficiency of the property 
management system, and maintenance of a reliable perpetual inventory. 

• The milestones do not separately address the need for "catch-up" activity to reconcile the backlog 
of old mission assignments, or to establish a beginning inventory of capital assets. Mission 
assignments and capital assets require substantial effort to correct the beginning balance for 
financial statement purposes. Those MAPS should include specific steps to (1) correct balances 
to be accurate and complete on a specified historical date, e.g., September 30, 2007, and (2) 
maintain an accounting for those balances prospectively. 

• As written, the FEMA M APs lack a complete plan for verification and validation of MAP results 
that can be used to monitor and report results, and the MAPs are not clearly linked to the 
Department's OMB Circular A-123 initiatives currently underway. 

Recommendations 

As mentioned in the introductory paragraphs to the Findings section, management has indicated several of 
the findings described above were addressed by FEMA after the date of our audit, resulting in updated 
milestones in the ICOFR Playbook. Due to the timing of our audit, we were unable to complete 
procedures to determine how the ICOFR Playbook changes might affect our recommendations below. 

We recommend that FEMA perform the following to address our findings. 
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1 . Review each MAP and: 

a. Continue to perform an in-depth root cause analysis until management has fully examined 
why, when, and how the control deficiencies occurred. Expand the MAPs to include more 
detail, measurable action steps, specific actions, assignments to individuals, link the 
milestones to root causes and financial statement assertions, and a time-line for completion. 
The MAP and milestone chart will likely require periodic updates as management proceeds 
with its corrective actions; 

b. Avoid reliance on the Independent Auditors' report as a source for causes of control 
deficiencies. A financial statement audit is not designed to identify all of the causes of a 
control deficiency, and consequently, management should perform an independent 
assessment, to be sure the MAP will fully and truly correct the issues identified; 

c. Prioritize the MAPs and milestone actions to focus on areas that may result in cross-cutting 
benefits, and minimize duplication of effort where corrective actions overlap (i.e., correction 
of IT system posting logic errors may resolve multiple issues, or mitigate the need for process 
changes). Avoid devoting resources to milestones designed to address symptoms of 
deficiencies, except when it is necessary to accurately and completely state financial 
statement balances; 

2. Identify and document consideration of all significant dependencies, with overlapping processes, 
other FEMA MAPs, other Departmental MAPs, and actions that need to be taken by other Federal 
agencies. Perform process/sub-process analysis at a detailed activity or transaction level to identify 
all control and process deficiencies. This analysis should include a walkthrough or "test drive" of the 
activity/process flow with actual data or transactions. This will facilitate FEMA' s ability to develop 
crosscutting MAPs that include any potential interrelationships between processes or other MAPs. 

3. Include specific assessments of IT systems in the early stages of the MAP process to ensure that 
FEMA's IT systems are able to support updated procedures, corrected processes and new internal 
control procedures. 

4. Revise the MAPs to separate the financial statement balance reconciliation and corrective adjustment 
procedures from the process and control redesign aspect of the MAPs - separating the historical and 
prospective elements of the MAP. Historical actions are generally one-time events, while the 
prospective actions will likely require systemic, organizational, procedural, and process changes, 
which may be more complex. 

5. When the MAPs are further developed, including the updates made in the ICOFR Playbook, develop 
a plan for verification and validation of MAP results that can be used to monitor and report results. In 
addition, we recommend that FEMA link the MAPs to the Departments OMB Circular A- 123 
initiatives currently underway. 

MANAGEMENT RESPONSE TO REPORT 

Management has prepared an official response presented as a separate attachment to this report. 
In summary, management agreed with our findings and its comments were responsive to our 
recommendations. We did not audit management's response and, accordingly, we express no 
opinion on it. 
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KEY DOCUMENTS AND DEFINITIONS 



This section provides key definitions and documents for the purposes of this report. 

The Federal Managers ' Financial Integrity Act (FMFIA) requires that Executive Branch Federal agencies 
establish and maintain an effective internal control environment according to the standards prescribed by 
the Comptroller General and specified in the Government Accountability Office's (GAO) Standards for 
Internal Control in the Federal Government. In addition, it requires that the heads of agencies to 
annually evaluate and report on the effectiveness of the internal control and financial management 
systems. 

GAO's Standards for Internal Control in the Federal Government (Standards) defines internal control as 
an integral component of an organization's management that provides reasonable assurance of: 
effectiveness and efficiency of operations, reliability of financial reporting, and compliance with 
applicable laws and regulations. 

The Department of Homeland Security Financial Accountability Act (the DHS FAA) designates the 
Department's Chief Financial Officer (CFO), under the authority of the Secretary, as the party responsible 
for the design and implementation of Department-wide internal controls. Furthermore, the DHS FAA 
requires that a management's assertion and an audit opinion of the internal controls over financial 
reporting be included in the Department's annual Performance and Accountability Report. 

Office of Management and Budget (OMB) Circular No. A- 123, Manasement's Responsibility for 
Internal Control, provides guidance on internal controls and requires agencies and Federal managers to 
1) develop and implement management controls; 2) assess the adequacy of management controls; 3) 
identify needed improvements; 4) take corresponding corrective action; and 5) report annually on 
management controls. The successful implementation of these requirements facilitates compliance with 
both FMFIA and the DHS FAA. 

Office of Management and Budget (OMB) Circular No. A- 127. Financial Management Systems. 
prescribes policies and standards for executive departments and agencies to follow in developing, 
operating, evaluating, and reporting on financial management systems. The successful implementation 
of these requirements facilitates compliance with both FMFIA and the DHS FAA. 

Internal Control Deficiencies - A control deficiency exists when the design or operation of a control 
does not allow management or employees, in the normal course of performing their assigned functions, 
to prevent or detect misstatements on a timely basis. A significant deficiency is a control deficiency, or 
combination of control deficiencies, that adversely affects DHS' ability to initiate, authorize, record, 
process, or report financial data reliably in accordance with U.S. generally accepted accounting 
principles such that there is more than a remote likelihood that a misstatement of DHS' financial 
statements that is more than inconsequential will not be prevented or detected by DHS' internal control 
over financial reporting. A material weakness is a significant deficiency, or combination of significant 
deficiencies, that results in more than a remote likelihood that a material misstatement of the financial 
statements will not be prevented or detected by DHS' internal control. 

Management Directive (MP) 1030, Corrective Action Plans, establishes the "Department's vision and 
direction on the roles and responsibilities for developing, maintaining, reporting, and monitoring MAPs 
specific to the DHS Financial Accountability Act, FMFIA, and related OMB guidance." In addition to the 
roles and responsibilities, MD 1030 outlines the policies and procedures related to the MAP process. The 
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organizational structure detailed in MD 1030 encompasses employees at both the component and 
department levels. 

The Internal Controls Over Financial Reporting (ICOFR) Playbook (ICOFR Plavbook - ) was developed 
by the OCFO, Internal Control Program Management Office, to assist the Department in meeting the 
financial accountability requirements outlined in the DHS FAA. The ICOFR Playbook outlines the 
Department's "strategy and process to resolve material weaknesses and build management assurances." 
On an annual basis, the ICOFR Playbook is updated by the OCFO to enhance its exiting guidance, as 
necessary, and establish milestones, which will be monitored by the OCFO throughout the year. A 
component of the ICOFR Playbook is MAPs developed by the Department and its components to correct 
internal control deficiencies. 

The Mission Action Plan Guide, Financial Management Focus Areas Fiscal Year 2008 (MAP Guide') 
outlines the policies and procedures to be used to develop MAPs throughout DHS, pursuant to the roles 
and responsibilities established by the DHS Management Directive (MD) 1030, Corrective Action Plans. 
The MAP Guide applies to all Department Components and Offices (e.g., OFM) where a control 
deficiency has been identified. Note non-conformances related to the Federal Information Security 
Management Act (FISMA), are under the purview of the Department's Chief Information Security 
Officer 's Plan of Action and Milestones (POA&M) Process Guide. 

Electronic Program Management Office (ePMO) is a Web-based software application the OCFO 
deployed to manage the collection and reporting of MAP information. 

Mission Action Plans (MAPs). as defined in the MAP Guide, are documents prepared to facilitate the 
remediation of internal control deficiencies identified by management or by external parties. MAP 
documentation, as described in detail in the MAP Guide, includes a MAP Summary Report and a MAP 
Detailed Report that are required to be submitted to the OCFO through ePMO. Below are brief 
descriptions of the MAP Summary and MAP Detailed Reports, based on the ePMO MAP Reports Quick 
Guide contained in the MAP Guide: 

• The MAP Summary Report contains sections to describe the issue (e.g. internal control deficiency 
conditions), results of the root cause analysis performed, relevant financial statement assertions 
affected by the issue, key strategies and performance measures, resources required, an analysis of 
the risks and impediments as seen by management, verification and validation methods, and the 
critical milestones to be achieved. 

• The MAP Detailed Report provides additional data on the milestones, not only on those identified 
as critical but also those sub-milestones under a critical milestone. For each milestone (critical or 
sub), the following data is reflected: due date, percentage of completion, status (e.g., Not Started, 
Work in Progress and Completed), and the responsible and assigned parties. 

The Department's Annual Financial Report (DHS AFR) was issued on November 15, 2007 and consists 
of the Secretary's Message, Management's Discussion and Analysis, Financial Statements and Notes, an 
Independent Auditors' Report, Major Management Challenges, and other required information. The AFR 
was prepared pursuant to OMB Circular No. A- 1 3 6, Financial Reporting Requirements. 
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MEMORANDUM FOR: 



Richard L. Skinner, Inspector General 




FROM: 



Susan Shuback, Acting Chief Financial Officer 



SUBJECT: 



Draft Report: Independent Auditor's Report on FEMA 's 
FY 2008 Mission Action Plans 



Thank you for the opportunity to comment on the Draft Report: Independent Auditor 's 
Report on FEMA 's FY 2008 Mission Action Plans. We concur with the report's 
recommendations and will ensure corrective actions are implemented to respond to the 
report's findings. For example, we have added additional detailed milestones that will 
measure progress with material weaknesses in Actuarial and Other Liabilities, Budgetary 
Accounting and Capital Assets and Supplies. 
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To report alleged fraud, waste, abuse or mismanagement, or any other kind of 
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